I was wondering if someone could help me define a signature to alert when a packet is discovered which contains a RST flag along with any of the other flags set, i.e. a packet with RST and URG / RST and SYN etc.
alert tcp any any -> any any (msg:"RST + Other Flags TEST"; flags:R*UAPRSF; sid:153235;)
This is what I'm trying after reading the flag docs.
The doc says: * match if any of the bits are set. From my understanding that means if R and any flag defined after the "*" is set, it will trigger, but it does not.
Looking at the code, I think flags:R*; should do what you want. It should return true if the RST flag is set, regardless of any other flags that may be set.
I don’t think you can express this in a single flags statement. However, and I haven’t tried this, you could try doing something like: flags:R*; flags:UAPSF12*;
The first condition should match if R is set alone or with others. The 2nd condition should match if any or all of the other flags are set.
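To check the two-statement approach above against packets before deploying it, here is a small Python model of the documented flags keyword semantics (an added example, not Suricata's or Snort's code). It assumes the modifier may be written before or after the flag letters, as in the replies above, and that multiple flags options in one rule are ANDed.

```python
# Model of the Snort/Suricata "flags" keyword (added example, not engine code).
# Letters: F=FIN S=SYN R=RST P=PSH A=ACK U=URG 1/C=CWR 2/E=ECE 0=no flags
# Modifiers: none = exact match, '+' = these bits plus any others,
#            '*' = any of these bits, '!' = none of these bits.
# An optional ",<letters>" names bits to ignore before comparing.
FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "2": 0x40, "E": 0x40, "1": 0x80, "C": 0x80,
}

def flags_to_mask(letters: str) -> int:
    """Convert rule flag letters to a TCP flags bitmask ('0' means none)."""
    mask = 0
    for ch in letters:
        if ch == "0":
            continue
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown flag letter {ch!r} in {letters!r}")
        mask |= FLAG_BITS[ch]
    return mask

def flags_match(option: str, packet_flags: int) -> bool:
    """Evaluate one flags:<option> against an 8-bit TCP flags field."""
    spec, _, ignore = option.strip().rstrip(";").partition(",")
    modifier = ""
    if spec and spec[0] in "+*!":          # modifier before the letters
        modifier, spec = spec[0], spec[1:]
    elif spec and spec[-1] in "+*!":       # modifier after the letters (R*)
        modifier, spec = spec[-1], spec[:-1]
    want = flags_to_mask(spec)
    have = packet_flags & 0xFF & ~flags_to_mask(ignore)
    if modifier == "*":
        return have & want != 0
    if modifier == "+":
        return have & want == want
    if modifier == "!":
        return have & want == 0
    return have == want

def rule_matches(options: list[str], packet_flags: int) -> bool:
    """All flags options in a rule must match (keywords are ANDed)."""
    return all(flags_match(o, packet_flags) for o in options)

# Constructed sample packets for a quick check.
RST_ONLY = FLAG_BITS["R"]
RST_URG = FLAG_BITS["R"] | FLAG_BITS["U"]
SYN_ACK = FLAG_BITS["S"] | FLAG_BITS["A"]

if __name__ == "__main__":
    print(rule_matches(["R*"], RST_ONLY))              # True: fires on a plain RST
    print(rule_matches(["R*", "UAPSF12*"], RST_ONLY))  # False: no second flag
    print(rule_matches(["R*", "UAPSF12*"], RST_URG))   # True: RST plus URG
    print(rule_matches(["R*", "UAPSF12*"], SYN_ACK))   # False: no RST
```

The run shows why flags:R*; alone is too broad for the question asked (it fires on a plain RST), while the pair flags:R*; flags:UAPSF12*; matches only when RST is accompanied by another flag.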